only work with 5 users or clients

Tom Miller tom at hostwebase.com
Wed Oct 4 04:40:18 CEST 2006


Thank you so much for responding to my issues.
I think you are right.  I am missing something on the
Cisco 7204 but I don't know what it is.

I have captured debug log files from both radius and Cisco.
Please let me know if you want me to post them.



*****Here is what I have for our cisco 7204.********

aaa new-model
aaa authentication login default local
aaa authentication login console enable
aaa authentication login telnet line
aaa authentication ppp default group radius local
aaa authorization network default group radius local
aaa accounting delay-start
aaa accounting nested
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
enable secret 5 $1$xxxxxxxxxxxxxxxxxxxxxx/

vpdn enable
vpdn aaa override-server 172.17.17.17
!
radius-server host 172.17.17.17 auth-port 1645 acct-port 1646



**** Here is one of our users profile (users file) ****


campbell          Auth-Type := Local, User-Password == "1etelrx23"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = x.x.172.7,
        Framed-IP-Netmask = 255.255.255.128,
        Framed-MTU = 1492

#
DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 1492,
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        MS-Primary-DNS-Server = x.x.230.195,
        MS-Secondary-DNS-Server = x.x.230.196,
        Session-Timeout = 86400



What am I missing?



Thanks,

Tom

---- Original message ----
>Date: Mon, 02 Oct 2006 09:18:59 +1000
>From: James Wakefield <jamesw at deakin.edu.au>  
>Subject: Re: only work with 5 users or clients  
>To: tom at hostwebase.com, FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
>
>Tom Miller wrote:
>> I have a 7204 (12.0(22)S1) terminating DSL L2TP VPDN and 
>> freeradius ( 1.0.4)
>> 
>> I am having a problem when the number of users (clients) 
>> increases to 6 and up.
>> 
>> It worked fine when I have only 5 users (clients) using
>> the system.
>> 
>> 
>> I found the max_requests was set at 1024 in radiusd.conf and 
>> have increased the number up to 50 clients (50x256=12800)
>> 
>> max_requests = 12800
>> 
>> 
>> 
>> However, it doesn't seem to have any effect. What am I doing 
>> wrong?
>> 
>> 
>> One thing I noticed.  The two users that cannot connect 
>> will send incomplete information
>> to the radius server from NAS (7204) such as:
>> 
>> 
>> Waking up in 6 seconds...
>> rad_recv: Access-Request packet from host 192.168.17.1:1645, 
>> id=200, length=95
>>         NAS-IP-Address = 192.168.17.1
>>         NAS-Port = 3
>>         NAS-Port-Type = ISDN
>>         User-Name = "knguyen at abc.net"
>>         CHAP-Password = 7482c25ab08ffsddfddc0625fcb4007e
>>         Service-Type = Framed-User
>>         Framed-Protocol = PPP
>> 
>> auth: user supplied CHAP-Password matches local User-Password
>> Sending Access-Accept of id 200 to 192.168.17.1:1645
>>         Service-Type = Framed-User
>>         Framed-Protocol = PPP
>>         Framed-IP-Address = 209.101.222.12
>>         Framed-IP-Netmask = 255.255.255.128
>>         Framed-MTU = 1492
>> Finished request 16
>> Going to the next request
>> 
>> 
>> 
>> 
>> *********** This is a log when it connected.   It included 
>> the Tunnel server and client end point *********
>> 
>> 
>> 
>> rad_recv: Accounting-Request packet from host 192.168.17.1:1646, 
>> id=199, length=232
>>         NAS-IP-Address = 192.168.17.1
>>         NAS-Port = 6
>>         NAS-Port-Type = ISDN
>>         User-Name = "knguyen at abc.net"
>>         Acct-Status-Type = Stop
>>         Acct-Authentic = RADIUS
>>         Service-Type = Framed-User
>>         Acct-Session-Id = "00000CD8"
>>         Framed-Protocol = PPP
>>         Tunnel-Server-Endpoint:0 = "10.10.6.5"
>>         Tunnel-Client-Endpoint:0 = "10.10.6.6"
>>         Tunnel-Type:0 = L2TP
>>         Tunnel-Client-Auth-Id:0 = "12345678"
>>         Tunnel-Server-Auth-Id:0 = "sfldse26rr.wi.AADS"
>>         Acct-Tunnel-Connection = "13441125"
>>         Framed-IP-Address = 209.101.222.12
>>         Acct-Terminate-Cause = Admin-Reset
>>         Acct-Input-Octets = 281672
>>         Acct-Output-Octets = 266074
>>         Acct-Input-Packets = 4390
>>         Acct-Output-Packets = 4154
>>         Acct-Session-Time = 1967
>>         Acct-Delay-Time = 0
>>   Processing the preacct section of radiusd.conf
>> 
>
>This is an accounting stop record, as opposed to the access accept 
>record you display above and below.  It isn't necessarily indicative 
>of what freeradius sent to the NAS, or anything else that happened 
>when the client connected.
>
>> --- Walking the entire request list ---
>> Waking up in 6 seconds...
>> rad_recv: Access-Request packet from host 172.17.17.1:1645, 
>> id=200, length=95
>>         NAS-IP-Address = 172.17.17.1
>>         NAS-Port = 3
>>         NAS-Port-Type = ISDN
>>         User-Name = "knguyen at eintegration.net"
>>         CHAP-Password = 0xcc3aeb78c7482c25ab08dc0625fcb4007e
>>         Service-Type = Framed-User
>>         Framed-Protocol = PPP
>> 
>> auth: user supplied CHAP-Password matches local User-Password
>> Sending Access-Accept of id 200 to 172.17.17.1:1645
>>         Service-Type = Framed-User
>>         Framed-Protocol = PPP
>>         Framed-IP-Address = 38.101.172.12
>>         Framed-IP-Netmask = 255.255.255.128
>>         Framed-MTU = 1492
>> Finished request 16
>> Going to the next request
>> 
>> 
>> What am I missing here?
>
>How are you authenticating and authorizing your users?  users file, 
>some sort of database or directory?  Could you send some relevant 
>excerpts from those sources, eg: some users file stanzas if you're 
>using the users file, objects from your LDAP directory in LDIF if 
>you're using LDAP?
>
>My hunch is that freeradius isn't configured to send the necessary 
>attributes and your NAS is defaulting those attributes, but can't do 
>that for more than 5 concurrent users.  Unless you're observing 
>considerable delay between the receipt of access-request and the 
>sending of access-accept (ie: more than a couple of seconds), or 
>freeradius is sending different attributes with the access-accept 
>for the same user when things seem to be going wrong to when they're 
>going right, I think you're missing some attributes or your NAS is 
>misconfigured or both.
>
>
>Cheers,
>-- 
>James Wakefield,
>Unix Administrator, Information Technology Services Division
>Deakin University, Geelong, Victoria 3217 Australia.
>
>Phone: 03 5227 8690 International: +61 3 5227 8690
>Fax:   03 5227 8866 International: +61 3 5227 8866
>E-mail:   james.wakefield at deakin.edu.au
>Website:  http://www.deakin.edu.au
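An added example, not code from the original post or from FreeRADIUS, that applies the checks James suggests to debug output of the kind quoted above. It parses radiusd -X style output, pairs each Access-Request with the reply sent for it, and reports (a) any user whose Access-Accepts do not always carry the same attribute set and (b) any accept lacking attributes the operator expects every PPP session to carry. The sample log is constructed, modelled on the lines in the post, with made-up addresses; which attributes to require is the caller's decision, and the usage line takes two that the posted DEFAULT entry sets purely as an illustration. One fact worth keeping in mind when reading the users file above: FreeRADIUS uses the first entry whose check items match and only consults later entries, DEFAULT included, if the matched entry carries Fall-Through = Yes, so reply attributes a per-user entry does not set are not filled in from DEFAULT.

```python
"""Added example, not code from the original post or from FreeRADIUS.
Parses ``radiusd -X`` style output like the lines quoted in this thread,
pairs each Access-Request with its reply, and applies James's checks."""
import re
from collections import defaultdict

RECV_RE = re.compile(r"^rad_recv: (?P<code>\S+) packet from host (?P<peer>\S+), id=(?P<id>\d+)")
SEND_RE = re.compile(r"^Sending (?P<code>\S+) of id (?P<id>\d+) to (?P<peer>\S+)")
# attribute dump lines are indented; tagged attributes ("Tunnel-Type:0") lose the tag
ATTR_RE = re.compile(r"^\s+([\w-]+)(?::\d+)? = (.*)$")

# Constructed sample modelled on the post: one user accepted once, another
# accepted twice with different reply attributes (addresses are made up).
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 172.17.17.1:1645, id=200, length=95
        User-Name = "knguyen at eintegration.net"
        Service-Type = Framed-User
auth: user supplied CHAP-Password matches local User-Password
Sending Access-Accept of id 200 to 172.17.17.1:1645
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 38.101.172.12
        Framed-IP-Netmask = 255.255.255.128
        Framed-MTU = 1492
Finished request 16
rad_recv: Access-Request packet from host 172.17.17.1:1645, id=201, length=60
        User-Name = "campbell"
Sending Access-Accept of id 201 to 172.17.17.1:1645
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 10.0.172.7
        Framed-IP-Netmask = 255.255.255.128
        Framed-MTU = 1492
Finished request 17
rad_recv: Access-Request packet from host 172.17.17.1:1645, id=202, length=60
        User-Name = "campbell"
Sending Access-Accept of id 202 to 172.17.17.1:1645
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 1492
        Session-Timeout = 86400
Finished request 18
"""


def parse_debug(text):
    """Split debug output into packets: dicts with dir, code, peer, id and attrs."""
    packets, current = [], None
    for line in text.splitlines():
        for direction, rx in (("recv", RECV_RE), ("send", SEND_RE)):
            m = rx.match(line)
            if m:
                current = {"dir": direction, "code": m["code"], "peer": m["peer"],
                           "id": int(m["id"]), "attrs": []}
                packets.append(current)
                break
        else:
            m = ATTR_RE.match(line)
            if m and current is not None:
                current["attrs"].append((m[1], m[2].strip().strip('"')))
            else:
                current = None  # any other line ends the packet's attribute dump
    return packets


def pair_exchanges(packets):
    """Pair each reply with the latest request from the same peer with the same id
    (RADIUS ids wrap at 256 and are reused, so only the most recent one can match)."""
    pending, exchanges = {}, []
    for p in packets:
        key = (p["peer"], p["id"])
        if p["dir"] == "recv":
            pending[key] = p
        elif key in pending:
            exchanges.append((pending.pop(key), p))
    return exchanges


def user_of(req):
    return dict(req["attrs"]).get("User-Name", "<no User-Name>")


def inconsistent_users(exchanges):
    """User-Name -> distinct Access-Accept attribute sets, for users that got more than one."""
    seen = defaultdict(set)
    for req, rep in exchanges:
        if req["code"] == "Access-Request" and rep["code"] == "Access-Accept":
            seen[user_of(req)].add(tuple(sorted(rep["attrs"])))
    return {u: sorted(s) for u, s in seen.items() if len(s) > 1}


def accepts_missing(exchanges, required):
    """(User-Name, id, lacking) for every Access-Accept without all of the `required` names."""
    out = []
    for req, rep in exchanges:
        if rep["code"] == "Access-Accept":
            lacking = sorted(set(required) - {n for n, _ in rep["attrs"]})
            if lacking:
                out.append((user_of(req), rep["id"], lacking))
    return out


if __name__ == "__main__":
    ex = pair_exchanges(parse_debug(SAMPLE_LOG))
    for user, profiles in inconsistent_users(ex).items():
        print(f"{user}: {len(profiles)} different Access-Accept attribute sets")
    # which attributes to require is a site decision; these two come from the post's DEFAULT entry
    for user, pid, lacking in accepts_missing(ex, ["Framed-IP-Netmask", "Session-Timeout"]):
        print(f"Accept id={pid} for {user} lacks {', '.join(lacking)}")
```

Run it against a real capture by replacing SAMPLE_LOG with the contents of a radiusd -X session covering both a working and a failing client. James's other check, the delay between Access-Request and Access-Accept, is not covered here because the debug output quoted in the thread carries no timestamps; it needs the log piped through a timestamping tool or the server's syslog.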